fix(user_role): Restrict updating user role to the same EntityType (#…

…6224)
juspay · Oct 7, 2024 · b499287 · b499287
1 parent da6c0ff
commit b499287
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/crates/router/src/core/user_role.rs b/crates/router/src/core/user_role.rs
@@ -153,6 +153,14 @@ pub async fn update_user_role(
             ));
         }
 
+        if role_info.get_entity_type() != role_to_be_updated.get_entity_type() {
+            return Err(report!(UserErrors::InvalidRoleOperation)).attach_printable(format!(
+                "Upgrade and downgrade of roles is not allowed, user_entity_type = {} req_entity_type = {}",
+                role_to_be_updated.get_entity_type(),
+                role_info.get_entity_type(),
+            ));
+        }
+
         if updator_role.get_entity_type() < role_to_be_updated.get_entity_type() {
             return Err(report!(UserErrors::InvalidRoleOperation)).attach_printable(format!(
                 "Invalid operation, update requestor = {} cannot update target = {}",
@@ -218,6 +226,14 @@ pub async fn update_user_role(
             ));
         }
 
+        if role_info.get_entity_type() != role_to_be_updated.get_entity_type() {
+            return Err(report!(UserErrors::InvalidRoleOperation)).attach_printable(format!(
+                "Upgrade and downgrade of roles is not allowed, user_entity_type = {} req_entity_type = {}",
+                role_to_be_updated.get_entity_type(),
+                role_info.get_entity_type(),
+            ));
+        }
+
         if updator_role.get_entity_type() < role_to_be_updated.get_entity_type() {
             return Err(report!(UserErrors::InvalidRoleOperation)).attach_printable(format!(
                 "Invalid operation, update requestor = {} cannot update target = {}",